Microsoft Teams IDOR Vulnerability – 25 June 2023

Security researchers have discovered an unpatched vulnerability in Microsoft Teams that could allow remote attackers to send malware to unsuspecting employees.

Microsoft Teams’ default configuration allows users from outside the organization (external tenants) to reach out to its staff members.

The application doesn’t allow external tenants to send files. However, security researchers discovered an Insecure Direct Object Reference (IDOR) vulnerability that allows external tenants to bypass this control and send malware to internal staff members.

The security bypass is achieved by sending a POST request to “/v1/users/ME/conversations/<RECIPIENT_ID>/messages” and switching the internal and external (target employee) recipient IDs.

Threat actors can easily buy a domain similar to a target organization’s and register it with Microsoft 365, thus setting up a legitimate Teams tenancy and not having to build complex phishing infrastructure.

It should be highlighted that when this vulnerability is combined with social engineering via Teams, it becomes very easy to start a back-and-forth conversation, jump on a call, share screens, and more.

The threat actors abused this technique to deliver the C2 malware payload directly into the target’s inbox to gain an initial foothold.

The researchers say this bug provides a “potentially lucrative avenue” for threat actors because of how straightforward, simple and reliable it is for them to deliver malware to organizations without the need to craft socially-engineered email messages with malicious links or files.

Mitigations
  • Review if there is a business requirement for external tenants to have permission to message your staff.
  • If you are not currently using Teams for regular communication with external tenants, remove the option altogether. This can be done in Microsoft Teams Admin Center > External Access.
  • If you do require communication with external tenants, it’s advised to change the security settings to only allow communication with certain allow-listed domains until further notifications/patches from Microsoft. This can be done in Microsoft Teams Admin Center > External Access.
  • Educate staff about the potential for productivity apps, such as Teams, Slack, and SharePoint, to be used in social engineering campaigns.
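The two Admin Center changes above can also be audited and applied with the MicrosoftTeams PowerShell module. The script below is an added example, not part of the original advisory; it assumes a Teams administrator account, the MicrosoftTeams module installed, and that `partner.example.com` is a placeholder for the partner domains your organization actually needs.

```powershell
# Added example: audit and harden Teams external access (federation) with the
# MicrosoftTeams PowerShell module. Run as a Teams administrator.
Connect-MicrosoftTeams

# 1. Audit the current state. AllowFederatedUsers = $true together with
#    AllowedDomains = AllowAllKnownDomains is the permissive default that
#    lets any external tenant message your staff.
Write-Host "Current external access configuration:"
Get-CsTenantFederationConfiguration |
    Format-List AllowFederatedUsers, AllowedDomains, BlockedDomains

# Decide which mitigation applies to your tenant (see the bullets above).
$NeedExternalAccess = $false   # $true if you must talk to specific partners

if (-not $NeedExternalAccess) {
    # 2a. No business requirement: remove external access altogether
    #     (same effect as Teams Admin Center > External Access > off).
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $false
}
else {
    # 2b. External access is required: replace "allow all external domains"
    #     with an explicit allow list of partner domains.
    $partnerDomains = @('partner.example.com')   # placeholder values
    $patterns  = foreach ($d in $partnerDomains) { New-CsEdgeDomainPattern -Domain $d }
    $allowList = New-CsEdgeAllowList -AllowedDomain $patterns
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                                        -AllowedDomains $allowList
}

# 3. Verify the change took effect before closing the ticket.
Write-Host "Configuration after hardening:"
Get-CsTenantFederationConfiguration |
    Format-List AllowFederatedUsers, AllowedDomains, BlockedDomains
```

Tenant-wide federation settings can take some time to propagate, so re-run the final query later to confirm the allow list is in force.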
